Bug ID | 1196224 |
---|---|
Summary | User Kerberos Tickets are not refreshed or get destroyed after Update to samba 4.15.4 |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 15.3 |
Hardware | x86-64 |
OS | openSUSE Leap 15.3 |
Status | NEW |
Severity | Critical |
Priority | P5 - None |
Component | Samba |
Assignee | samba-maintainers@SuSE.de |
Reporter | andreas.hauffe@tu-dresden.de |
QA Contact | samba-maintainers@SuSE.de |
Found By | --- |
Blocker | --- |
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Build Identifier:

At the end of January there was an update of Samba 4.13 to 4.15. Since that time all our clients, which are Windows-AD members, don't keep the user Kerberos tickets like before. Either the tickets are not refreshed or the tickets are destroyed. This results in a crashed KDE Plasma in the morning when the users try to log in again, since the clients/user accounts weren't able to write on the kerberized NFS-Home mounts after the tickets got lost.

Reproducible: Always

Steps to Reproduce:
1. Configure PAM-Winbind for User logins
2. Wait some hours and the user tickets are not in the ticket cache any more

Actual Results:
Crashed KDE Plasma due to unwritable home mounts

Expected Results:
refreshed user tickets in the ticket cache

smb.conf

```
[global]
    netbios name = ilr114l
    security = ADS
    workgroup = ILRW
    realm = ILRW.ING.DOM.TU-DRESDEN.DE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    template homedir = /home/home_ilrw/%U
    template shell = /bin/bash
    winbind refresh tickets = yes
    winbind separator = +
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config ILRW : backend = rid
    idmap config ILRW : range = 3000-9999 # UID from RID for ILRW
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-9999999 # UID from RID for DOM
```

krb5.conf

```
[libdefaults]
    default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    ILRW.ING.DOM.TU-DRESDEN.DE = {
        auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
        auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
        auth_to_local = DEFAULT
    }
```